Bug 1303070 - boinc-client runs unconfined
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: boinc-client
Version: 23
Hardware/OS: Unspecified
Priority: unspecified
Severity: high
Assigned To: Laurence Field
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-01-29 08:02 EST by DaveG
Modified: 2016-05-31 05:22 EDT
Fixed In Version: boinc-client-7.6.22-4.fc23 boinc-client-7.6.22-4.fc22
Doc Type: Bug Fix
Last Closed: 2016-05-26 06:55:31 EDT
Type: Bug

Attachments:
/etc/systemd/system/boinc-client.service (392 bytes, text/plain), 2016-01-29 08:02 EST, DaveG
Description DaveG 2016-01-29 08:02:49 EST
Created attachment 1119423
/etc/systemd/system/boinc-client.service

Description of problem:

The BOINC client service should be running in a confined context but there appears to be a disconnect in the SELinux transition, probably due to the introduction of a “wrapper script”.

Rather than run the client service directly, the systemd unit file executes the wrapper that then runs the service, redirecting stderr and stdout. Unit (boinc_unit_file_t) and binary (boinc_exec_t) files are both correctly tagged but the bash wrapper has default context (bin_t).

The result is that the service process runs as unconfined_service_t rather than boinc_t, as intended.


Version-Release number of selected component (if applicable):

F22 through rawhide.


How reproducible:

Always.


Steps to Reproduce:
1. Install and start boinc-client.
2. ps -efZ | fgrep boinc_client


Actual results:

system_u:system_r:unconfined_service_t:s0    boinc     1259     1  0 Jan21 ?        00:10:28 /usr/bin/boinc_client ...



Expected results:

system_u:system_r:boinc_t:s0    boinc     1259     1  0 Jan21 ?        00:10:28 /usr/bin/boinc_client ...


Additional info:

The problem is the wrapper script, /usr/bin/boinc. Its function is to redirect detailed logging from BOINC to log files under /var/log.

One alternative that I currently use is to run the BOINC client in daemon mode (forking) directly from the systemd unit file. In daemon mode stderr and stdout are written to files in the working directory, /var/lib/boinc/{stderrdae.txt,stdoutdae.txt}. These are symbolic links to files in /var/log.

This changes the unit file service type from simple to forking. The BOINC client does not have a PID file option but systemd guesses the PID accurately.

My working systemd unit file is attached.

Either the package or the unit file would need to set up the symbolic links.

Without the wrapper script the SELinux transitions work as expected and the BOINC client runs confined.
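The script below is an added diagnostic for the transition failure described in this report; it is not code from the bug, the boinc-client package or the Fedora SELinux policy. It pulls the path systemd actually execs out of the unit's ExecStart= line (with the packaged unit that is the bin_t wrapper, so the init_t -> boinc_t transition keyed on boinc_exec_t never fires), shows that file's label and any process transition rule for it, and reports the domain of the running boinc_client while ignoring the grep process that a `ps -efZ | fgrep` listing also contains. PS_UNCONFINED, PS_CONFINED and the two UNIT_* snippets are constructed samples that mirror the contexts quoted above; sesearch (setools) and stat -c %C are only used by the --live path.

```shell
#!/bin/sh
# Added diagnostic for the init_t -> boinc_t transition problem; not code from
# the bug report, the boinc-client package or the Fedora policy. The PS_* and
# UNIT_* values are constructed samples mirroring the contexts in the report.

# ps -efZ lines: the broken case from the description (client running in
# unconfined_service_t) and the healthy case from Comment 14, which includes
# the grep line that is NOT a boinc_client process.
PS_UNCONFINED='system_u:system_r:unconfined_service_t:s0 boinc 1259 1 0 Jan21 ? 00:10:28 /usr/bin/boinc_client --daemon'
PS_CONFINED='system_u:system_r:boinc_t:s0 boinc 9509 1 0 12:30 ? 00:00:32 /usr/bin/boinc_client --daemon --start_delay 1
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21752 21655 0 22:34 pts/2 00:00:00 grep -F --color=auto boinc_client'

# Constructed [Service] snippets: one execs the wrapper, one the client itself.
UNIT_WRAPPER='[Service]
Type=simple
User=boinc
ExecStart=/usr/bin/boinc'
UNIT_DIRECT='[Service]
Type=forking
User=boinc
ExecStart=/usr/bin/boinc_client --daemon --start_delay 1'

# Type (third field) of an SELinux context user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Path systemd execs: first word of the first ExecStart= line of a unit on
# stdin. The transition out of init_t is decided by THIS file's label, so a
# bin_t wrapper in front of boinc_exec_t yields no transition to boinc_t.
unit_exec() {
    sed -n 's/^ExecStart=\([^ ]*\).*/\1/p' | sed -n '1p'
}

# Domain of every process in `ps -efZ` output (stdin) whose command field
# (field 9) is exactly the given path. A `grep ... boinc_client` line has
# "grep" in field 9 and is therefore not counted.
proc_domains() {
    awk -v exe="$1" '$9 == exe { split($1, c, ":"); print c[3] }'
}

# 0: every matching process is in the wanted domain; 1: at least one is not
# (e.g. unconfined_service_t); 2: no such process is running.
check_domain() {
    want="$2"
    doms=$(proc_domains "$1")
    [ -n "$doms" ] || return 2
    for d in $doms; do
        [ "$d" = "$want" ] || return 1
    done
    return 0
}

# Run against this host (needs the SELinux tools; sesearch comes from setools).
live_check() {
    unit=/usr/lib/systemd/system/boinc-client.service
    if [ -r /etc/systemd/system/boinc-client.service ]; then
        unit=/etc/systemd/system/boinc-client.service
    fi
    exe=$(unit_exec < "$unit")
    echo "unit $unit execs: $exe"
    ls -Z "$exe"
    if command -v sesearch >/dev/null 2>&1; then
        # Any process transition rule from init_t on this file's type?
        sesearch --type_trans -s init_t -t "$(ctx_type "$(stat -c %C "$exe")")" -c process
    fi
    ps -efZ | check_domain /usr/bin/boinc_client boinc_t
    case $? in
        0) echo "boinc_client is confined (boinc_t)" ;;
        1) echo "boinc_client is running OUTSIDE boinc_t:"
           ps -efZ | proc_domains /usr/bin/boinc_client ;;
        2) echo "boinc_client is not running" ;;
    esac
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Save it to a file and run it as root with `--live` on the affected host; without the flag it only defines the functions, so the samples can be piped through `proc_domains` and `check_domain` by hand.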
Comment 1 DaveG 2016-01-29 08:23:50 EST
Minor issue:

The systemd unit file should not have execute permission.

install -p -m755 %{SOURCE1} $RPM_BUILD_ROOT%{_unitdir}/%{name}.service
  should be
install -p -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_unitdir}/%{name}.service

Ref:
http://pkgs.fedoraproject.org/cgit/rpms/boinc-client.git/tree/boinc-client.spec#n217
Comment 2 Germano Massullo 2016-01-29 09:11:08 EST
Thank you DaveG for your extensive explanation.
Could CC'ed SELinux developers please provide a feedback about this problem?
Thank you for your time.
Comment 3 Fedora Update System 2016-02-25 05:22:30 EST
boinc-client-7.6.22-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-268bdbd1df
Comment 4 Fedora Update System 2016-02-25 05:22:30 EST
boinc-client-7.6.22-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-89ece19b35
Comment 5 Fedora Update System 2016-02-25 05:23:10 EST
boinc-client-7.6.22-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8e698a1a52
Comment 6 Fedora Update System 2016-02-26 15:52:31 EST
boinc-client-7.6.22-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8e698a1a52
Comment 7 Fedora Update System 2016-02-26 15:53:39 EST
boinc-client-7.6.22-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-89ece19b35
Comment 8 Fedora Update System 2016-02-26 21:20:34 EST
boinc-client-7.6.22-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-268bdbd1df
Comment 9 Fedora Update System 2016-05-16 12:28:03 EDT
boinc-client-7.6.22-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2623b55517
Comment 10 Fedora Update System 2016-05-16 14:50:58 EDT
boinc-client-7.6.22-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2623b55517
Comment 11 Fedora Update System 2016-05-16 15:36:37 EDT
boinc-client-7.6.22-4.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-06a48f3a5f
Comment 12 Fedora Update System 2016-05-17 18:00:55 EDT
boinc-client-7.6.22-4.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-06a48f3a5f
Comment 13 Fedora Update System 2016-05-17 18:00:59 EDT
boinc-client-7.6.22-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2623b55517
Comment 14 Germano Massullo 2016-05-22 16:39:49 EDT
Hi Dave, on F24, using the following .service file, I still get problems with the SELinux's BOINC confinement.

======
# ps -efZ | fgrep boinc_client
system_u:system_r:boinc_t:s0    boinc     9509     1  0 12:30 ?        00:00:32 /usr/bin/boinc_client --daemon --start_delay 1
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21752 21655  0 22:34 pts/2 00:00:00 grep -F --color=auto boinc_client
======

==========
[Unit]
Description=Berkeley Open Infrastructure Network Computing Client
Documentation=man:boinc(1)
After=network-online.target

[Service]
Type=forking
Nice=10
User=boinc
Group=boinc
PermissionsStartOnly=yes
WorkingDirectory=/var/lib/boinc
ExecStartPre=/usr/bin/touch /var/log/boinc.log /var/log/boinc_err.log
ExecStartPre=/bin/chown boinc:boinc /var/log/boinc.log /var/log/boinc_err.log
ExecStart=/usr/bin/boinc_client --daemon --start_delay 1
ExecStop=/usr/bin/boinccmd --quit
ExecReload=/usr/bin/boinccmd --read_cc_config
ExecStopPost=/bin/rm -f /var/lib/boinc/lockfile
IOSchedulingClass=idle
Environment=LOGFILE=/var/log/boinc.log
Environment=ERRORLOG=/var/log/boinc_err.log
Environment=SYSTEMD_LOG_LEVEL=debug

[Install]
WantedBy=multi-user.target
==========

I inserted [Environment] while (still unsuccessfully) trying to find out why BOINC does not fill log files. [1][2]

Do you have any idea?
Have a nice day

[1]: https://boinc.berkeley.edu/dev/forum_thread.php?id=11011
[2]: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/K3LSOGW2CL3UYFMALIWNMGEYOBP7C3V4/
Comment 15 DaveG 2016-05-22 17:58:35 EDT
Logging has stopped for me too. Last entry on 2016-05-16.

Looks like it's SELinux file context on the stderr log file triggering an AVC and boinc is giving up on all logging.

Managed to fix it for me (F22) with:

semanage fcontext --add --type boinc_log_t --ftype f '/var/log/boincerr\.log.*'
restorecon -Fv /var/log/boinc*
systemctl restart boinc-client.service

Check your logs for AVCs on client start.

Still need to check that logrotate still works...

Is boinc in flux? The man page has ...
       --daemon
              Run as daemon. Will redirect stderr and stdout to syslog.

... and the code appears to use syslog.h but my client still uses stderrdae.txt and stdoutdae.txt when run with --daemon. Still, no worries.

FYI, my (now working config)...
# cat /etc/systemd/system/boinc-client.service
[Unit]
Description=Berkeley Open Infrastructure Network Computing Client
Documentation=man:boinc(1)
After=network-online.target

[Service]
Type=forking
Nice=10
User=boinc
WorkingDirectory=/var/lib/boinc
ExecStart=/usr/bin/boinc_client --daemon --start_delay 1
ExecStop=/usr/bin/boinccmd --quit
ExecReload=/usr/bin/boinccmd --read_cc_config

[Install]
WantedBy=multi-user.target

# cat /etc/logrotate.d/boinc-client
/var/log/boinc.log /var/log/boincerr.log {
	missingok
	notifempty
	copytruncate
	compress
	delaycompress
	nomail
}

# ls -lZ /var/log/boinc*
-rw-rw-r--. 1 boinc boinc system_u:object_r:boinc_log_t:s0     0 Jan 14 13:04 /var/log/boincerr.log
-rw-rw-r--. 1 boinc boinc system_u:object_r:boinc_log_t:s0  3465 May 22 22:37 /var/log/boinc.log

# ls -lZ /var/lib/boinc/std*
lrwxrwxrwx. 1 root  root  unconfined_u:object_r:boinc_var_lib_t:s0   21 May 22 22:29 /var/lib/boinc/stderrdae.txt -> /var/log/boincerr.log
-rw-r--r--. 1 boinc boinc system_u:object_r:boinc_var_lib_t:s0        0 Feb 25  2014 /var/lib/boinc/stderrgpudetect.txt
lrwxrwxrwx. 1 root  root  unconfined_u:object_r:boinc_var_lib_t:s0   18 May 22 22:29 /var/lib/boinc/stdoutdae.txt -> /var/log/boinc.log
-rw-r--r--. 1 boinc boinc system_u:object_r:boinc_var_lib_t:s0     8364 May 22 22:37 /var/lib/boinc/stdoutgpudetect.txt

# ls -lZ /usr/bin/boinc_client
-rwxr-xr-x. 1 root root system_u:object_r:boinc_exec_t:s0 929448 Jan 31 17:42 /usr/bin/boinc_client
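The script below is an added example for the log-file labelling problem in Comment 15 and the empty logs in Comment 14; it is not code from the bug report or the boinc-client package. It summarises AVC records for the client (source type, target type, class, permissions, which is enough to see boinc_t being refused a write on a var_log_t file), flags any /var/log/boinc* file whose type is not boinc_log_t, wraps the semanage/restorecon fix from Comment 15 in a function, and asks matchpathcon what the live and rotated names should carry. AVC_SAMPLE and LS_SAMPLE are constructed (file names and contexts follow the thread); ausearch, matchpathcon and semanage are only used by the --live path and the relabel function.

```shell
#!/bin/sh
# Added example for the log-file labelling failure in Comment 15; not code from
# the bug report or the boinc-client package. AVC_SAMPLE and LS_SAMPLE are
# constructed to mirror the file names and contexts in the thread.

# Constructed AVC of the kind described above: boinc_t denied write on a log
# file that still carries the generic var_log_t label.
AVC_SAMPLE='type=AVC msg=audit(1463400000.123:4567): avc:  denied  { write } for  pid=9509 comm="boinc_client" name="boincerr.log" dev="dm-0" ino=1234 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

# Constructed `ls -Z` output: one file still mislabelled, one already fixed.
LS_SAMPLE='system_u:object_r:var_log_t:s0 /var/log/boincerr.log
system_u:object_r:boinc_log_t:s0 /var/log/boinc.log'

# For each AVC line on stdin print: source type, target type, class, permissions.
avc_summary() {
    awk '/avc: +denied/ {
        perms = $0
        sub(/.*denied  *[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        print s, t, c, perms
    }'
}

# Given `ls -Z` lines (context, path) on stdin, print the paths whose type is
# not the wanted one. Exit status 1 if any were printed, 0 otherwise.
mislabelled() {
    awk -v want="$1" '{ split($1, c, ":"); if (c[3] != want) { print $2; bad = 1 } }
                      END { exit bad ? 1 : 0 }'
}

# The fix from Comment 15 as a function: record the rule, then apply it.
# The trailing .* in the pattern makes restorecon treat rotated copies
# (boincerr.log.1, boincerr.log.1.gz) the same way as the live file.
relabel_boinc_logs() {
    semanage fcontext --add --type boinc_log_t --ftype f '/var/log/boincerr\.log.*'
    restorecon -Fv /var/log/boinc*
}

live_check() {
    # AVCs raised by the client since boot (needs auditd).
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m AVC -c boinc_client -ts boot 2>/dev/null | avc_summary
    fi
    # Labels on the live logs.
    ls -Z /var/log/boinc.log /var/log/boincerr.log 2>/dev/null | mislabelled boinc_log_t
    # What policy says the live and rotated names should carry. copytruncate in
    # /etc/logrotate.d/boinc-client truncates the live inode in place, so the
    # label the client writes to survives rotation.
    if command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon /var/log/boincerr.log /var/log/boincerr.log.1 /var/log/boincerr.log.1.gz
    fi
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it as root with `--live` right after `systemctl restart boinc-client.service`: an `avc_summary` line of the form `boinc_t var_log_t file write` is the signature Comment 15 describes, and `relabel_boinc_logs` followed by another run should leave `mislabelled` silent.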
Comment 16 Germano Massullo 2016-05-23 10:20:40 EDT
My error: Lukas Vrabec told me that
======
# ps -efZ | fgrep boinc_client
system_u:system_r:boinc_t:s0    boinc     9509     1  0 12:30 ?        00:00:32 /usr/bin/boinc_client --daemon --start_delay 1
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21752 21655  0 22:34 pts/2 00:00:00 grep -F --color=auto boinc_client
======

in Comment 14 is fine since

system_u:system_r:boinc_t:s0    boinc     9509     1  0 12:30 ?        00:00:32 /usr/bin/boinc_client --daemon --start_delay 1

is confined and 

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21752 21655  0 22:34 pts/2 00:00:00 grep -F --color=auto boinc_client

is related to the grep command. So I can push the builds on stable.
For the log bug I am going to open another bugreport where we can co-operate, if you want (I would be glad!).
Comment 17 Fedora Update System 2016-05-26 06:55:20 EDT
boinc-client-7.6.22-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2016-05-31 05:22:06 EDT
boinc-client-7.6.22-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.